Locating a faulty component of an EFSM composition

When a component of a discrete event system is faulty, the problem arises of how to locate that component. In this paper, we consider the composition of two Extended Finite State Machines and propose an approach for locating the faulty component using preset and adaptive experiments with Finite State Machines.


Introduction
Telecommunication systems are multi-component systems. When some of the components are faulty, the behavior of the whole system can differ from that of the specification system, and the problem arises of how to locate the faulty components. In this paper, we propose an approach for locating a faulty component in a sequential composition of two Extended Finite State Machines (EFSMs). The joint behavior of these components is represented as a composed EFSM. We assume that only one component can have transfer or output faults. Faults of each type are described using a Mutation Machine. Since there are no formal methods for distinguishing two mutation EFSMs, we unfold those EFSMs as classical Finite State Machines (FSMs) and use preset and adaptive experiments with FSMs to distinguish the two EFSMs.

Preliminaries
A Finite State Machine (FSM) [1] A is a 5-tuple (S, I, O, h, s0) where S is the nonempty finite set of states with the initial state s0, I and O are the input and output alphabets, and h ⊆ S × I × O × S is the transition relation. An Extended Finite State Machine (EFSM) [2] M is a pair (S, T) where S is the set of states and T is the set of transitions between states of S, such that each transition t ∈ T is a 7-tuple (s, i, P, op, up, o, s'), where s and s' are the initial and final states of the transition t; i ∈ I is an input with the set D_inp-i of input parameter vectors; o ∈ O is an output with the set D_out-o of output parameter vectors; P: D_inp- where s is a state of the EFSM and v is a context vector. A pair (i, ) is a parameterized input symbol whose parameter vector belongs to D_inp-i. A sequence of parameterized inputs is a parameterized input sequence; some of its inputs may be non-parameterized. An EFSM is complete if for each state s with an appropriate context vector v and any parameterized input (i, ) there exists at least one transition (s, i, P, op, up, o, s') whose predicate is true for the given (s, v) and (i, ); otherwise the EFSM is partial. If for each state s with an appropriate context vector v and any parameterized input (i, ) there exists at most one transition (s, i, P, op, up, o, s') whose predicate is true for the given (s, v) and (i, ), the EFSM is called deterministic; otherwise it is non-deterministic. If the corresponding FSM is too large to handle, the behavior can instead be described over all input sequences of length l [3], i.e., an FSM that is an l-equivalent of the initial EFSM can be derived. One can simulate the behavior of the FSM under all input sequences of length l accepted at its initial state. In the general case, the l-equivalent is a partial (possibly non-observable) FSM whose behavior coincides with that of the original FSM under all input sequences of length l.
Given two FSMs over the same input and output alphabets, the FSMs can be distinguished by a preset or an adaptive distinguishing experiment. A preset distinguishing test case is an input sequence such that the sets of output responses of the two FSMs to this sequence do not intersect. Since the FSM corresponding to a given EFSM can be partial and non-observable, the approach proposed in [4] can be applied. Sometimes two FSMs that cannot be distinguished by a preset distinguishing experiment can still be distinguished by an adaptive one. An adaptive distinguishing test case is a single-input, output-complete, connected, initialized FSM that has a finite number of traces. In other words, at each intermediate state of the test case only one input, with all of its possible outputs, is defined. Such a test case was first derived for two states of an observable FSM [5,6] and was then extended to any number of states of a non-observable FSM [7]. The test case is a distinguishing test case for a set of states of a given FSM if each trace of the test case from the initial state to a deadlock state is a trace of at most one state of the given set. Consider an observable FSM S with two initial states s0 and s1 in Fig. 1. Let S/1 denote the FSM S with initial state s0 and S/2 the FSM S with initial state s1. A test case P over the alphabets I = {i1, i2} and O = {o1, o2} that is an adaptive distinguishing test case for S/1 and S/2 is shown in Fig. 2. We also note that the machines can be separated with a single input, namely the input i2.

Fault detection in sequential composition of two EFSMs
Consider a sequential composition N of two components A1 and A2 in Fig. 3.

Fig. 3. A sequential composition of two EFSMs A1 and A2.
Let A1 = (C, T1) and A2 = (Q, T2) be completely specified, deterministic EFSMs. We suppose that the set of outputs of A1 coincides with the set of inputs of A2 and that these are not parameterized, i.e., the predicates of the EFSM A2 depend only on context variables. Each transition of A1 is a 6-tuple (c, i, P1, up1, u_out1, c') and each transition of A2 is a 7-tuple (q, u_inp2, P2, op2, up2, o, q') [8]. As a formal model, we consider a composition of two Extended Finite State Machines and suppose that only one of the two components can be faulty. Moreover, we assume that the faulty component has transfer and/or output faults. In this paper, we describe such faults using a special EFSM called a Mutation Machine (MM) [9]. Let the component A1 have transfer or output faults, and let the EFSMs MM_Tr1 and MM_Out1 describe these faults in A1. We note that mutation machines can be non-deterministic. The EFSMs MM_Tr1 @ A2 and MM_Out1 @ A2 then correspond to the behavior of the faulty composition N. Likewise, let the component A2 have transfer or output faults described by the EFSMs MM_Tr2 and MM_Out2; the EFSMs A1 @ MM_Tr2 and A1 @ MM_Out2 correspond to the behavior of the faulty composition N in that case. To detect transfer or output faults in the composition N one can use the strategy proposed in [4]. An input sequence is called a separating sequence for states s and s' of an FSM if it is defined at both states and the sets of output responses to it at s and s' do not intersect. An input sequence is called a separating sequence for two FSMs if it separates their initial states.
If the two FSMs corresponding to A1 @ MM_Tr2 and MM_Tr1 @ A2 (or to A1 @ MM_Out2 and MM_Out1 @ A2), with the traces of the specification composed FSM removed, can be distinguished by a preset or adaptive experiment, i.e., there exists a separating sequence or an adaptive distinguishing test case, then after applying that test case we learn which component is faulty. If the FSMs corresponding to A1 @ MM_Tr2 and MM_Tr1 @ A2 (or A1 @ MM_Out2 and MM_Out1 @ A2) cannot be constructed because of their complexity, an approach based on l-equivalents can be used instead. For each mutation machine, input sequences and the corresponding traces are derived for both machines one by one, and each pair of traces is checked for distinguishability. In this case it is unnecessary to construct the composed EFSM; it suffices to model the behavior of the compositions on input sequences of length l. Experiments with telecommunication protocols [10] show that more than 80 % of transfer and output faults in protocol implementations can be detected using 5-equivalents of the corresponding EFSMs. An example of applying the proposed approach to a sequential composition of two FSMs is given below. Consider the component FSMs in Figs 3a and 3b and assume that the transition shown in bold can have any transfer or output fault.

Fig. 4b. The mutation machine for the tail component FSM.

The composition of A1 and A2 is an EFSM
By direct inspection, one can verify that the machines in Figs 4a and 4b can be distinguished by the input sequence i2 i2 i1. If the output to the first i2 is z2, then only the tail component can be faulty. If the output to the first i2 is z1, then the next input i2 is applied. If the output to this second i2 is z1, then only the head component can be faulty. If the output to the second i2 is z2, then the next input i1 is applied. The outputs to i1 are different, and thus the two mutation machines are distinguished. When a separating sequence does not exist, one can try to construct an adaptive distinguishing test case [7]. If an adaptive distinguishing test case exists, then based on the output response of the composition to this test case one can conclude which component FSM is faulty.
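The preset part of the procedure above (compose the head and tail machines, build a mutation machine for each component, drop the specification traces, and search the input sequences of length at most l for one whose remaining responses do not intersect) can be carried out mechanically. The following Python script is an added illustration written for this page; it is not code from the paper or its authors. The component FSMs A1 and A2, their initial states and the two mutation machines MM_Out1 and MM_Out2 are constructed for the example and are not the machines of Figs 3 and 4: each mutation machine here replaces a single transition by a set of alternative outputs. "Defined at a state" is simplified to "yields at least one complete trace", and the adaptive case is not covered.

```python
from itertools import product

# An FSM is a dict: (state, input) -> set of (output, next_state).
# Several pairs per key give a non-deterministic machine; a missing key
# means the input is undefined at that state (partial machine).

# Constructed head component A1: external inputs i1/i2, internal outputs u1/u2.
A1 = {
    ("c0", "i1"): {("u1", "c0")}, ("c0", "i2"): {("u2", "c1")},
    ("c1", "i1"): {("u2", "c0")}, ("c1", "i2"): {("u1", "c1")},
}
# Constructed tail component A2: its inputs are the outputs of A1.
A2 = {
    ("q0", "u1"): {("z1", "q0")}, ("q0", "u2"): {("z2", "q1")},
    ("q1", "u1"): {("z2", "q0")}, ("q1", "u2"): {("z1", "q1")},
}
INPUTS = ("i1", "i2")
S0 = ("c0", "q0")          # initial state of the composition


def responses(fsm, s0, seq):
    """Set of output sequences the machine can produce from s0 on seq.
    A trace that reaches a state where the next input is undefined is dropped,
    so an empty result means the sequence is not defined at s0 (simplification)."""
    traces = {((), s0)}                     # (outputs so far, current state)
    for x in seq:
        nxt = set()
        for outs, s in traces:
            for o, s2 in fsm.get((s, x), ()):
                nxt.add((outs + (o,), s2))
        traces = nxt
    return {outs for outs, _ in traces}


def compose(head, tail):
    """Sequential composition head @ tail: each output of the head is fed to the
    tail in the same step; the composed state is the pair (c, q)."""
    tail_states = {q for q, _ in tail}
    comp = {}
    for (c, i), moves in head.items():
        for q in tail_states:
            for u, c2 in moves:
                for o, q2 in tail.get((q, u), ()):
                    comp.setdefault(((c, q), i), set()).add((o, (c2, q2)))
    return comp


def mutate(fsm, key, alternatives):
    """Mutation machine: keep the specification transition and add the
    alternatives for one (state, input) pair; the result is non-deterministic."""
    mm = {k: set(v) for k, v in fsm.items()}
    mm[key] = set(fsm[key]) | set(alternatives)
    return mm


def separating_sequence(m1, m2, spec, s0, inputs, l):
    """Shortest input sequence of length <= l whose non-specification responses
    of m1 and m2 are both non-empty and do not intersect (the l-equivalent
    search: only sequences of bounded length are simulated)."""
    for n in range(1, l + 1):
        for seq in product(inputs, repeat=n):
            ok = responses(spec, s0, seq)
            r1 = responses(m1, s0, seq) - ok
            r2 = responses(m2, s0, seq) - ok
            if r1 and r2 and not (r1 & r2):
                return seq
    return None


SPEC = compose(A1, A2)                                   # A1 @ A2
MM_OUT1 = mutate(A1, ("c0", "i2"), {("u1", "c1")})      # output fault in head (constructed)
MM_OUT2 = mutate(A2, ("q0", "u2"), {("z1", "q1")})      # output fault in tail (constructed)
HEAD_FAULTY = compose(MM_OUT1, A2)                       # MM_Out1 @ A2
TAIL_FAULTY = compose(A1, MM_OUT2)                       # A1 @ MM_Out2


def locate(seq, observed, head_faulty=HEAD_FAULTY, tail_faulty=TAIL_FAULTY,
           spec=SPEC, s0=S0):
    """Name the faulty component from the observed response to seq."""
    if observed in responses(spec, s0, seq):
        return "none"
    in_head = observed in responses(head_faulty, s0, seq)
    in_tail = observed in responses(tail_faulty, s0, seq)
    if in_head and not in_tail:
        return "head"
    if in_tail and not in_head:
        return "tail"
    return "unknown"            # outside both fault models (or not separated)


if __name__ == "__main__":
    seq = separating_sequence(HEAD_FAULTY, TAIL_FAULTY, SPEC, S0, INPUTS, l=5)
    print("separating sequence:", seq)
    for out in [("z2", "z1"), ("z1", "z2"), ("z1", "z1")]:
        print(out, "->", locate(seq, out))
```

For the constructed machines the search returns the sequence i2 i1: the specification answers z2 z1, the head-faulty composition can additionally answer z1 z2, and the tail-faulty composition z1 z1, so one observed response names the faulty component. Removing the specification traces before comparing is essential, since every mutation machine contains the specification transition and the two responses would otherwise always intersect on it.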